Securing Your .NET and Other Applications
- Category: Security & Privacy
- Posted On: 8/16/2006
- Views: 3,927
I recently discussed the need to effectively authenticate an application's execution context with several members of the development community, including the Open Web Application Security Project and AZGroups.com. Here are some important points to consider when securing your application's execution context (i.e. verifying that your application is executing from trusted installation sites):
*The following points are made from the perspective of a .NET implementation, so please modify them as necessary for other languages, including any examples or references in your comments.- Secure the code itself
- "Strong name" your assemblies
- Use internal declarations and "InternalsVisibleTo" attributes to expose objects to trusted assemblies (make informed decisions about keywords that expose your code)
- Obfuscate your code
- Authenticate the Execution Environment
- Upon installation (even "copy-paste"), generate a unique, encrypted install key for the assembly in the trusted execution environment
- Could be in the registry (can be found and possibly cracked if a weak encryption algorithm was used)
- Could check IP (can be spoofed)
- Could check domain-name (can be spoofed)
- Could reside in memory (requires constant execution)
- Validate the key on execution
*A simple example for an ASP.NET application would be to have the application log itself on start-up (an application signature like a GUID, IP, domain name, etc.) and monitor the log.
- Category: Security & Privacy
- Posted On: 8/16/2006
- Views: 3,927